The assurance of quality of service properties is an important aspect of service-oriented software engineering. Notations for so-called service level agreements (SLAs), such as the Web Service Level Agreement (WSLA) language, provide a formal syntax to specify such assurances in terms of (legally binding) contracts between a service provider and a customer. On the other hand, formal methods for verification of probabilistic real-time behavior have reached a level of expressiveness and efficiency which allows them to be applied in real-world scenarios. In this paper, we suggest employing the recently introduced model of Interval Probabilistic Timed Automata (IPTA) for formal verification of QoS properties of service-oriented systems. Specifically, we show that IPTA, in contrast to Probabilistic Timed Automata (PTA), are able to capture the guarantees specified in SLAs directly. A particular challenge in the analysis of IPTA is the fact that their naive semantics usually yields an infinite set of states and infinitely-branching transitions. However, using symbolic representations, IPTA can be analyzed rather efficiently. We have developed the first implementation of an IPTA model checker by extending the PRISM tool and show that model checking IPTA is only slightly more expensive than model checking comparable PTA.

1 Introduction 

One of the key tasks in engineering service-oriented systems is the assurance of quality of service (QoS) properties, such as 'the response time of a service is less than 20ms for at least 95% of the requests'. Service level agreements (SLAs) provide a notation for specifying such guarantees in terms of (legally binding) contracts between a service provider and a service consumer. A specific example of an SLA notation is the Web Service Level Agreement (WSLA) [18, 31] language, which provides a formal syntax to specify such QoS guarantees for web services. The compliance of a service implementation with an SLA is commonly checked at runtime by monitoring the service.

However, due to the fact that an application or service may itself make use of other services, guaranteeing probabilistic real-time properties can be difficult. The problem becomes even harder when the service is not bound to a specific service provider but linked dynamically. Statistical testing of the service consumer together with all currently possible service providers can provide some evidence that the required probabilistic real-time properties hold. However, each time a new service provider is connected, or in situations when a known service provider slightly changes the characteristics of the offered service, the test results are no longer representative.

In the last couple of years, formal methods for verification of probabilistic real-time behavior have reached a level of expressiveness and efficiency that allows them to be applied to real-world case studies in various application domains, including communication and multimedia protocols, randomized distributed algorithms and biological systems (cf. [15, 17]). Therefore, it is a natural step to also investigate their suitability for addressing the outlined challenges of guaranteeing QoS properties of service-oriented systems. In particular, the dynamic linking of services in service-oriented systems introduces major difficulties concerning the analysis of their QoS properties.

In this paper, we suggest employing the recently introduced model of Interval Probabilistic Timed Automata [18] (IPTA), which extend Probabilistic Timed Automata [12] (PTA) by permitting the specification of intervals, i.e., lower and upper bounds for probabilities, rather than exact values. The contributions of this paper can be summarized as follows: (1) We show that IPTA (in contrast to PTA) are able to capture the guarantees specified in SLAs directly. The notion of probabilistic uncertainty in IPTA allows modeling and verifying service-oriented systems with dynamic service binding, where one can rely only on the guarantees stated in the SLA and no knowledge about the actual service implementation is available. (2) To the best of our knowledge, we present the first implementation of an IPTA model checker and show that it can analyze IPTA nearly as fast as comparable PTA. (3) We show that a naive analysis using sampling of PTA does not yield the correct results as predicted by IPTA. Furthermore, we provide evidence that checking equivalent PTA has a worse performance than checking the IPTA directly.

Organization 

The rest of this paper is organized as follows. Section 2 demonstrates that IPTA naturally permit capturing the guarantees of an SLA when modeling the behavior of a service provider. Section 3 introduces the syntax and semantics of interval probabilistic timed automata. Section 4 discusses symbolic PTCTL model checking and the probabilistic reachability problem. In Section 5 we present our tool support. In Section 6 we show that IPTA checking is only slightly more expensive than PTA checking. We show that using sampling of the probability values in the intervals to derive a representative set of PTA neither scales as well as IPTA checking nor works correctly. Finally, we demonstrate that an encoding of IPTA in the form of a PTA also does not scale as well as IPTA checking. In Section 7 we discuss related work. Section 8 contains conclusions and future work.

2 Quality of Service Modeling 

Since in the service-oriented paradigm compositionality is employed to construct new services and applications, the interaction behavior of a service-oriented system can be captured by a set of communicating finite state automata. For instance, a simple service-oriented system can consist of a service provider and a service consumer, both represented as automata, which communicate according to a specific protocol, given by a service contract.

The QoS of a service-oriented application is often as important as its functional properties. Validation of QoS characteristics usually requires models which capture probabilistic aspects as well as real-time properties. Probabilistic Timed Automata [12] (PTA) are an expressive, compositional model for probabilistic real-time behavior with support for non-determinism. However, a limitation of PTA is the fact that only fixed values for probabilities can be expressed. In practice, it is often only possible to approximate probabilities with guarantees for lower and upper bounds. For this reason, Interval Probabilistic Timed Automata [18] (IPTA) generalize PTA by allowing the specification of intervals of probabilities as opposed to fixed values. This feature is particularly useful to model guarantees for probabilities as commonly found in service level agreements (SLAs).
Listing 1: A response time guarantee in WSLA

    <Metric name="NormalResponsePercentage" type="float" unit="Percentage">
      <Source>ServiceProvider</Source>
      <Function resultType="float" xsi:type="wsla:PercentageLessThanThreshold">
        <Metric>ResponseTime</Metric>
        <Value>
          <LongScalar>20</LongScalar> <!-- Normal responses take less than 20ms -->
        </Value>
      </Function>
    </Metric>

    <Obligations>
      <ServiceLevelObjective name="ResponseTimeGuarantee">
        <Obliged>ServiceProvider</Obliged>
        <Expression>
          <Predicate xsi:type="GreaterEqual">
            <SLAParameter>NormalResponsePercentage</SLAParameter>
            <Value>0.95</Value> <!-- At least 95% normal responses -->
          </Predicate>
        </Expression>
      </ServiceLevelObjective>
    </Obligations>


As a concrete example of an SLA, Listing 1 contains an adaptation of a WSLA specification presented in [8]. In the upper part, a metric called NormalResponsePercentage is defined which contains the percentage of response events that took less than 20ms. The actual service level agreement is defined in the lower part in terms of a service provider obligation called ResponseTimeGuarantee. This obligation assures that the percentage of responses that take less than 20ms is at least 95%.

Figure 1 depicts a PTA for a client/server application in which the server guarantees a probability of (exactly) 95% for response times of less than 20ms. The client is modeled as another PTA which synchronizes with the server using the request and response actions. Note that the client model is actually just a Timed Automaton (TA), because no probabilities are employed. However, in the cases where probabilities also matter, we would need exact knowledge of them to be able to construct a proper PTA.

Figure 1: PTA for a client (left) and a server (right) (edge labels visible in the figure: response, x<20, x>20)



This small example shows that PTA, similarly to other automata models, consist of a set of states (or locations) and transitions (or edges). The time-related behavior is specified using clocks (such as x in the server) which can be reset (x := 0), tested in conditions for transitions (x > 20) and also in state invariants (x < 20 for S2). Note that we use the constant T to denote a constant timeout value in the invariant x < T. A clock such as x simply increases with progressing time, unless it is explicitly reset. The conditions block the transition until the clock constraint is fulfilled. Moreover, the state invariant ensures that (1) no transition leads to this state when this would result in invalidating the state invariant, and (2) the automaton can no longer stay in this state when this would also lead to a violation of the invariant. In addition to purely non-deterministic behavior, i.e. when multiple transitions with the same action are enabled, probabilities can be associated with transitions, e.g. 0.95 for the request transition leading to the state S2, and 0.05 leading to the state S3. Note that for probabilistic transitions, all alternative branches must sum up to 1. Formally, the target of a transition in a PTA is not a single state, but a discrete probability distribution over the set of all states. Thus, in addition to purely nondeterministic choice, PTA allow the likelihood of an event to be specified. Note also that the existence of a parallel operator (written as $\mathcal{P}_1 \parallel \mathcal{P}_2$ where $\mathcal{P}_1$ and $\mathcal{P}_2$ are PTA) moreover allows two automata to be synchronized via shared actions, which enables compositional modeling.

However, the Interval Probabilistic Timed Automaton (IPTA) of a server in Figure 2 additionally allows the 'at least 95%' semantics of the SLA in Listing 1 to be captured. The difference to the PTA model is that in IPTA it is possible to specify probabilistic behavior with a level of uncertainty. Specifically, IPTA allow the specification of intervals of probabilities as opposed to the exact probabilities used in PTA. The semantics of intervals, in contrast to exact values, is that each time a probabilistic decision is necessary, any of the usually uncountably many probability distributions which lie within the lower and upper bounds of the intervals denotes a valid behavior. Therefore, probability intervals match better with the guarantees commonly found in SLAs, such as 'with at least 95% a request is answered within 20ms'. Note that we did not model the client as another IPTA here, but just as the TA in Figure 1. However, similarly to the modeled server, we can also model uncertain probabilistic behavior in the client, such as 'with at least 75% a request is made within 50ms'. The parallel composition of IPTA then allows a model of the complete system to be derived.



Given such models in the form of PTA or IPTA, we can now employ model checking to verify probabilistic real-time properties for the composed system, specified in an appropriate probabilistic real-time logic. In our case, we might be interested in the property 'the probability that 1 out of 10 responses is too slow is at most 5%'. As we will demonstrate later in this paper, there are important differences between the outcome of such an analysis depending on whether we employ the PTA using exact probabilities or the IPTA which allows only lower and upper bounds to be specified. In particular, no sample set of PTA derived from the IPTA by choosing values from the interval is in general sufficient to derive the same result as the analysis of the IPTA.

Figure 2: IPTA for a simple server

Model Checking Probabilistic Real-Time Properties for Service-Oriented Systems

3 Interval Probabilistic Timed Automata 

Interval probabilistic timed automata (IPTA) [18] integrate the probabilistic real-time modeling concepts of probabilistic timed automata (PTA) [12] and the idea of probabilistic uncertainty known from interval Markov chains [16]. Thus, they not only provide a way to distinguish between purely probabilistic and nondeterministic (timed) behavior, but also allow uncertain probabilities to be specified using lower and upper bounds. These ingredients make IPTA a suitable formal model for the specification and verification of QoS assurances that can commonly be found in SLAs.

3.1 Preliminaries 



Discrete probability distributions

For a finite set $S$, $Dist(S)$ is the set of discrete probability distributions over $S$, i.e., the set of all functions $\mu : S \to [0,1]$ with $\sum_{s \in S} \mu(s) = 1$. The point distribution $\mu^{*}_{s}$ is the unique distribution on $S$ with $\mu^{*}_{s}(s) = 1$.

Clocks, valuations and constraints

Let $\mathbb{R}^{+}$ denote the set of non-negative reals. Let $\mathcal{X} = \{x_1, \ldots, x_n\}$ be a set of variables in $\mathbb{R}^{+}$, called clocks. An $\mathcal{X}$-valuation is a map $v : \mathcal{X} \to \mathbb{R}^{+}$. For a subset $X \subseteq \mathcal{X}$, $v[X := 0]$ denotes the valuation $v'$ with $v'(x) = 0$ if $x \in X$ and $v'(x) = v(x)$ if $x \notin X$. For $d \in \mathbb{R}^{+}$, $v + d$ is the valuation $v''$ with $v''(x) = v(x) + d$ for all $x \in \mathcal{X}$. A clock constraint on $\mathcal{X}$ is an expression of the form $x \bowtie c$ or $x - y \bowtie c$ such that $x, y \in \mathcal{X}$, $c \in \mathbb{R}^{+}$ and $\bowtie \in \{<, \le, >, \ge\}$, or a conjunction of clock constraints. A clock valuation $v$ satisfies $\zeta$, written as $v \triangleright \zeta$, if and only if $\zeta$ evaluates to true when all clocks $x \in \mathcal{X}$ are substituted with their clock value $v(x)$. Let $CC(\mathcal{X})$ denote the set of all clock constraints over $\mathcal{X}$.

3.2 Syntax 

Before defining IPTA formally, we introduce a syntactical and, thus, finite notion of probability interval distributions.

Definition 3.1 (Interval distribution) Let $S$ be a finite set. A probability interval distribution $\lambda$ on $S$ is a pair of functions $\lambda = (\lambda^{\ell}, \lambda^{u})$ with $\lambda^{\ell}, \lambda^{u} : S \to [0,1]$, such that $\lambda^{\ell}(s) \le \lambda^{u}(s)$ for all $s \in S$ and furthermore:

$$\sum_{s \in S} \lambda^{\ell}(s) \;\le\; 1 \;\le\; \sum_{s \in S} \lambda^{u}(s) \qquad (1)$$

The set of probability interval distributions over $S$ is denoted by $IntDist(S)$. The support of $\lambda$ is defined as $Supp(\lambda) = \{ s \in S \mid \lambda^{u}(s) > 0 \}$. Let $\lambda^{*}_{s}$ be the unique interval distribution that assigns $(1,1)$ to $s$, and $(0,0)$ to all $t \in S$, $t \neq s$.
A probability interval distribution $\lambda$ is a symbolic representation of the non-empty, possibly infinite set of probability distributions that conform with the interval bounds: $\{ \mu \in Dist(S) \mid \forall s \in S : \lambda^{\ell}(s) \le \mu(s) \le \lambda^{u}(s) \}$. If clear from the context, we may abuse notation and identify $\lambda$ with this set and also write $\mu \in \lambda$ if and only if $\mu$ respects the bounds of $\lambda$. Note that interval distributions are also used (in a slightly different syntax) in the notion of closed interval specifications in Q. However, the explicit definition using lower and upper interval bounds in our model enables a syntactical treatment of interval distributions which is useful, e.g., in the following notion of minimal interval distributions.

Definition 3.2 (Minimal interval distribution) An interval distribution $\lambda$ on $S$ is called minimal if for all $s \in S$ the following conditions hold:

1. $\lambda^{u}(s) + \sum_{t \in S,\, t \neq s} \lambda^{\ell}(t) \le 1$

2. $\lambda^{\ell}(s) + \sum_{t \in S,\, t \neq s} \lambda^{u}(t) \ge 1$

Minimal interval distributions have the property that the bounds of all intervals can be reached (but not necessarily at the same time). Although minimality is formally not needed in the properties that we consider here, it is often a desirable requirement since it can serve as a sanity check for a specification. For instance, the interval distribution $\lambda = \{ s \mapsto (0.4, 0.5),\; t \mapsto (0.4, 0.5) \}$ is not minimal because condition 2 is violated. Here, the lower bounds of 0.4 can never be reached. In fact, the only probability distribution that conforms with the interval bounds is $\mu = \{ s \mapsto 0.5,\; t \mapsto 0.5 \}$. Thus, the minimality condition is a useful requirement which allows the validity of interval bounds to be verified. Note also that it is always possible to derive a minimal interval distribution from a non-minimal one by pruning the interval bounds, e.g., by setting $\lambda^{u}(s) := 1 - \sum_{t \in S,\, t \neq s} \lambda^{\ell}(t)$ if condition 1 is violated for the state $s$.
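The minimality check of Definition 3.2 and the pruning rule above, as an added example (not code from the paper or from its PRISM extension). The repair of condition 1 follows the paper; the symmetric repair of condition 2 (raising the lower bound) is this example's own assumption and is marked as such in the code.

```python
"""Minimality check and pruning of interval distributions (Definition 3.2).
Added example; not code from the paper or its PRISM extension."""
from typing import Dict, Hashable, Tuple

IntervalDist = Dict[Hashable, Tuple[float, float]]  # s -> (lambda^l(s), lambda^u(s))
EPS = 1e-12  # tolerance for floating-point sums


def violated(lam: IntervalDist, s: Hashable) -> Tuple[bool, bool]:
    """(condition 1 violated, condition 2 violated) of Definition 3.2 for state s."""
    others_lower = sum(lam[t][0] for t in lam if t != s)
    others_upper = sum(lam[t][1] for t in lam if t != s)
    c1 = lam[s][1] + others_lower > 1 + EPS  # lambda^u(s) can never be reached
    c2 = lam[s][0] + others_upper < 1 - EPS  # lambda^l(s) can never be reached
    return c1, c2


def is_minimal(lam: IntervalDist) -> bool:
    """True iff both conditions hold for every state, i.e. every bound is reachable."""
    return not any(any(violated(lam, s)) for s in lam)


def prune(lam: IntervalDist) -> IntervalDist:
    """Return a minimal interval distribution with the same set of conforming mu.

    Pass 1 is the paper's rule: lambda^u(s) := 1 - sum of the other lower bounds
    whenever condition 1 is violated.  Pass 2 is the symmetric rule (assumption
    of this example): lambda^l(s) := 1 - sum of the other upper bounds whenever
    condition 2 is violated.  Lowering uppers first and raising lowers second
    cannot re-break condition 1, so two passes suffice when (1) of Def. 3.1 holds.
    """
    out = dict(lam)
    for s in out:  # pass 1: tighten upper bounds
        lo, hi = out[s]
        out[s] = (lo, min(hi, 1 - sum(out[t][0] for t in out if t != s)))
    for s in out:  # pass 2: tighten lower bounds (symmetric rule, see above)
        lo, hi = out[s]
        out[s] = (max(lo, 1 - sum(out[t][1] for t in out if t != s)), hi)
    return out


# Constructed inputs: the paper's non-minimal example and the Figure 2 server.
NON_MINIMAL = {"s": (0.4, 0.5), "t": (0.4, 0.5)}
SERVER = {"s2": (0.95, 1.0), "s3": (0.0, 0.05)}  # response within 20ms vs. slow

if __name__ == "__main__":
    print(is_minimal(NON_MINIMAL), prune(NON_MINIMAL))  # False {'s': (0.5, 0.5), 't': (0.5, 0.5)}
    print(is_minimal(SERVER))                           # True
```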

Definition 3.3 (Interval probabilistic timed automaton) An interval probabilistic timed automaton is a tuple $\mathcal{P} = (L, L^{0}, \mathcal{A}, \mathcal{X}, inv, prob, \mathcal{L})$ consisting of:

• a finite set of locations $L$ with $L^{0} \subseteq L$ the set of initial locations,

• a finite set of actions $\mathcal{A}$,

• a finite set of clocks $\mathcal{X}$,

• a clock invariant assignment function $inv : L \to CC(\mathcal{X})$,

• a probabilistic edge relation $prob \subseteq L \times CC(\mathcal{X}) \times \mathcal{A} \times IntDist(2^{\mathcal{X}} \times L)$, and

• a labeling function $\mathcal{L} : L \to 2^{AP}$ assigning atomic propositions to locations.

Note that for more flexibility and a clear separation between communication and state invariants, our IPTA model contains both actions on transitions and atomic propositions for states. This approach is also in line with our tool support based on an extended version of PRISM (see Section 5).

As an example, we consider the IPTA model of a simple server depicted in Figure 2, where we denote interval distributions by small black circles. The set of actions is $\mathcal{A} = \{request, response\}$, and the clocks are $\mathcal{X} = \{x\}$. For simplicity, we do not include atomic propositions here. Moreover, we associate the interval $[1,1]$ with edges that have a support of size 1. The server modeled by this IPTA responds to an incoming request within 20ms with a probability between 95% and 100%. These lower and upper bounds can arise in scenarios where the exact probabilities are unknown or cannot be given precisely, e.g., due to implementation details. For instance, one can imagine that the server relays all requests to a heterogeneous, internal server farm, in which the success probability depends on the currently chosen server.
Composition

An important aspect of the service-oriented paradigm is compositionality, i.e., the fact that new services 
can be built by composing existing ones. Therefore, it is also crucial to support composition at the 
modeling level. In our approach, a parallel operator for IPTA is used for this purpose. The parallel 
composition of IPTA is defined analogously to the one for PTA. However, we need to compose interval 
distributions instead of probability distributions. 

Definition 3.4 (Parallel composition) The parallel composition of two interval probabilistic timed automata $\mathcal{P}_i = (L_i, L^{0}_i, \mathcal{A}_i, \mathcal{X}_i, inv_i, prob_i, \mathcal{L}_i)$ with $i \in \{1,2\}$ is defined as:

$$\mathcal{P}_1 \parallel \mathcal{P}_2 = (L_1 \times L_2,\; L^{0}_1 \times L^{0}_2,\; \mathcal{A}_1 \cup \mathcal{A}_2,\; \mathcal{X}_1 \cup \mathcal{X}_2,\; inv, prob, \mathcal{L})$$

such that

• $\mathcal{L}((l_1, l_2)) = \mathcal{L}_1(l_1) \cup \mathcal{L}_2(l_2)$ for all $l_1 \in L_1, l_2 \in L_2$,

• $inv((l_1, l_2)) = inv_1(l_1) \wedge inv_2(l_2)$ for all $l_1 \in L_1, l_2 \in L_2$,

• $((l_1, l_2), \zeta, a, \lambda) \in prob$ if and only if one of the following conditions holds:

  1. $a \in \mathcal{A}_1 \setminus \mathcal{A}_2$ and there exists $(l_1, \zeta, a, \lambda_1) \in prob_1$ such that $\lambda = \lambda_1 \otimes \lambda^{*}_{(\emptyset, l_2)}$

  2. $a \in \mathcal{A}_2 \setminus \mathcal{A}_1$ and there exists $(l_2, \zeta, a, \lambda_2) \in prob_2$ such that $\lambda = \lambda^{*}_{(\emptyset, l_1)} \otimes \lambda_2$

  3. $a \in \mathcal{A}_1 \cap \mathcal{A}_2$ and there exist $(l_1, \zeta_1, a, \lambda_1) \in prob_1$ and $(l_2, \zeta_2, a, \lambda_2) \in prob_2$ such that $\lambda = \lambda_1 \otimes \lambda_2$ and $\zeta = \zeta_1 \wedge \zeta_2$

where for $X_1 \subseteq \mathcal{X}_1$, $X_2 \subseteq \mathcal{X}_2$, $l_1 \in L_1$ and $l_2 \in L_2$:

$$(\lambda_1 \otimes \lambda_2)^{\ell}(X_1 \cup X_2, (l_1, l_2)) = \lambda^{\ell}_1(X_1, l_1) \cdot \lambda^{\ell}_2(X_2, l_2)$$

$$(\lambda_1 \otimes \lambda_2)^{u}(X_1 \cup X_2, (l_1, l_2)) = \lambda^{u}_1(X_1, l_1) \cdot \lambda^{u}_2(X_2, l_2)$$

Thus, the product of two interval distributions is simply defined by the product of their lower and 
upper bounds. Note also that the parallel composition for IPTA synchronizes transitions via shared 
actions, and interleaves transitions via unshared actions. 

3.3 Semantics 

The semantics of IPTA can be given in terms of Timed Interval Probabilistic Systems (TIPS) [18], which are essentially infinite-state Interval Markov Decision Processes (IMDPs) [16].

Definition 3.5 (Timed interval probabilistic system) A timed interval probabilistic system is a tuple $\mathcal{T} = (S, S^{0}, \mathcal{A}, Steps, \mathcal{L})$ consisting of:

• a set of states $S$ with $S^{0} \subseteq S$ the set of initial states,

• a set of actions $\mathcal{A}$, such that $\mathcal{A} \cap \mathbb{R}^{+} = \emptyset$,

• a transition function $Steps : S \to 2^{(\mathcal{A} \cup \mathbb{R}^{+}) \times IntDist(S)}$, such that, if $(a, \lambda) \in Steps(s)$ and $a \in \mathbb{R}^{+}$, then $\lambda$ is a point interval distribution, and

• a labeling function $\mathcal{L} : S \to 2^{AP}$ assigning atomic propositions to states.

The operational semantics of a timed interval probabilistic system can be understood as follows. A probabilistic transition, written as $s \xrightarrow{a,\lambda,\mu} s'$, is made from a state $s \in S$ by:

1. nondeterministically selecting an action/duration and interval distribution pair $(a, \lambda) \in Steps(s)$,

2. nondeterministically choosing a probability distribution $\mu \in \lambda$,

3. making a probabilistic choice of target state $s'$ according to $\mu$.

A path of a timed interval probabilistic system is a non-empty finite or infinite sequence of probabilistic transitions:

$$\omega = s_0 \xrightarrow{a_0,\lambda_0,\mu_0} s_1 \xrightarrow{a_1,\lambda_1,\mu_1} s_2 \xrightarrow{a_2,\lambda_2,\mu_2} \cdots$$

where for all $i \in \mathbb{N}$ it holds that $s_i \in S$, $(a_i, \lambda_i) \in Steps(s_i)$, $\mu_i \in \lambda_i$ and $\mu_i(s_{i+1}) > 0$. We denote with $\omega(i)$ the $(i+1)$th state of $\omega$, and with $last(\omega)$ the last state of $\omega$, if it is finite. An adversary is a particular resolution of the nondeterminism in a timed interval probabilistic system. Formally, an adversary $A$ for $\mathcal{T}$ is a function mapping every finite path $\omega$ of $\mathcal{T}$ to a triple $(a, \lambda, \mu)$ such that $(a, \lambda) \in Steps(last(\omega))$ and $\mu \in \lambda$. We restrict ourselves to time-divergent adversaries, i.e., we require that time has to advance beyond any given time bound. This is a common restriction in real-time models to rule out unrealizable behavior. The set of all time-divergent adversaries of $\mathcal{T}$ is denoted by $Adv_{\mathcal{T}}$.

For any $s \in S$ and adversary $A \in Adv_{\mathcal{T}}$, we let $Paths^{A}_{fin}(s)$ and $Paths^{A}_{inf}(s)$ be the sets of all finite and infinite paths starting in $s$ that correspond to $A$, respectively. Under a given adversary, the behavior of a timed interval probabilistic system is purely probabilistic. Formally, an adversary for a timed interval probabilistic system induces an infinite discrete-time Markov chain and, thus, a probability measure $Prob^{A}_{s}$ over the set of paths $Paths^{A}_{inf}(s)$ (cf. [9] for details). The semantics of an IPTA can be given by a TIPS as follows.

Definition 3.6 (TIPS semantics) Given an IPTA $\mathcal{P} = (L, L^{0}, \mathcal{A}, \mathcal{X}, inv, prob, \mathcal{L})$. The TIPS semantics of $\mathcal{P}$ is the timed interval probabilistic system $\mathcal{T} = (S, S^{0}, \mathcal{A}, Steps, \mathcal{L}')$ where:

• $S \subseteq L \times (\mathbb{R}^{+})^{\mathcal{X}}$, such that $(l, v) \in S$ if and only if $v \triangleright inv(l)$,

• $S^{0} = \{ (l, v[\mathcal{X} := 0]) \mid l \in L^{0} \}$,

• $(a, \lambda) \in Steps((l, v))$ if and only if one of the following conditions holds:

  – Time transitions: $a = t \in \mathbb{R}^{+}$, $\lambda = \lambda^{*}_{(l, v + t)}$ and $v + t' \triangleright inv(l)$ for all $0 \le t' \le t$

  – Discrete transitions: $a \in \mathcal{A}$ and $(l, \zeta, a, \hat{\lambda}) \in prob$ such that $v \triangleright \zeta$ and for any $(l', v') \in S$:

    $\lambda^{\ell}(l', v') = \sum_{X \subseteq \mathcal{X} \,\wedge\, v' = v[X := 0]} \hat{\lambda}^{\ell}(X, l')$

    $\lambda^{u}(l', v') = \sum_{X \subseteq \mathcal{X} \,\wedge\, v' = v[X := 0]} \hat{\lambda}^{u}(X, l')$

• $\mathcal{L}'((l, v)) = \mathcal{L}(l)$ for all $(l, v) \in S$.

4 Symbolic model checking 

In this section, we recall the symbolic approach for PTCTL model checking as introduced for PTA in [13] and adapted for IPTA in [18]. Moreover, we discuss in more detail an iterative algorithm for computing the maximum and minimum probabilities for reaching a set of target states.

4.1 PTCTL - Probabilistic Timed Computation Tree Logic 

Probabilistic Timed Computation Tree Logic (PTCTL) [12] can be used to specify combined probabilistic and timed properties. Constraints for probabilities in PTCTL are specified using the probabilistic threshold operator known from PCTL. Timing constraints in PTCTL are expressed using a set of system clocks $\mathcal{X}$, which are the clocks from the automaton to be checked, and a set of formula clocks $\mathcal{Z}$, which is disjoint from $\mathcal{X}$. The syntax of PTCTL is given by:

$$\phi ::= a \;\mid\; \zeta \;\mid\; \neg\phi \;\mid\; \phi \vee \phi \;\mid\; z.\phi \;\mid\; \mathcal{P}_{\sim\kappa}[\phi\; \mathcal{U}\; \phi]$$

where:

• $a \in AP$ is an atomic proposition,

• $\zeta \in CC(\mathcal{X} \cup \mathcal{Z})$ is a clock constraint over all system and formula clocks,

• $z.\phi$ with $z \in \mathcal{Z}$ is a reset quantifier, and

• $\mathcal{P}_{\sim\kappa}[\cdot]$ is a probabilistic quantifier with $\sim \in \{<, \le, >, \ge\}$ and $\kappa \in [0,1]$ a probability threshold.

As an example for the specification of a combined probabilistic and timed property, the requirement for a bounded response time, e.g. 'with a probability of at least 95% a response is sent within 20ms', can be formalized in PTCTL as the formula:

$$z.\mathcal{P}_{\ge 0.95}[\, true \;\mathcal{U}\; (responseSent \wedge z < 20) \,]$$

Furthermore, it is possible to specify properties over system clocks, e.g. the formula:

$$z.\mathcal{P}_{\le 0.05}[\, (x > 4) \;\mathcal{U}\; (z = 8) \,]$$

represents the property 'with a probability of at most 5%, the system clock x exceeds 4 before 8 time units elapse'. For the formal semantics of PTCTL, we refer to [12].



4.2 Symbolic states 

Since the timed interval probabilistic systems that are being generated as the semantics of an IPTA are in general infinite, it is crucial to find a finite representation which can be used for model checking. For this purpose, symbolic states are considered in [13, 18], which are formally given by a pair $(l, \zeta)$ of a location $l$ and a clock constraint $\zeta$, also referred to as a zone in this context. A symbolic state $(l, \zeta)$ is a finite representation of the set of state and formula clock valuations $\{ ((l, v), \mathcal{E}) \mid (v, \mathcal{E}) \triangleright \zeta \}$. Based on this finite representation using the notion of zones, PTCTL model checking is realized by recursively evaluating the parse tree of a given formula, computing the set of reachable symbolic states.



4.3 Probabilistic reachability 

The probabilistic quantifier $\mathcal{P}_{\sim\kappa}$ can be evaluated by (i) computing the minimum and maximum probabilities for reaching a set of states, which is also referred to as the problem of probabilistic reachability, and (ii) comparing these probabilities with $\kappa$ [13]. Formally, the problem of probabilistic reachability can be stated as follows. Let $A$ be an adversary for a TIPS $\mathcal{T} = (S, s_0, \mathcal{A}, Steps, \mathcal{L})$ and $F \subseteq S$ be a set of target states. The probability of reaching $F$ from a state $s \in S$ is defined as:

$$p^{A}_{s}(F) = Prob^{A}_{s}\{\, \omega \in Paths^{A}_{inf}(s) \mid \exists i \in \mathbb{N} : \omega(i) \in F \,\}$$

Then, the minimal and maximal reachability probabilities of $F$ are defined as:

$$p^{\min}_{s}(F) = \inf_{A \in Adv_{\mathcal{T}}} p^{A}_{s}(F) \qquad\qquad p^{\max}_{s}(F) = \sup_{A \in Adv_{\mathcal{T}}} p^{A}_{s}(F)$$
Iterative algorithm

The minimum and maximum probabilities for a set of target states in a TIPS can be computed using an iterative algorithm [16, 18] known as value iteration, which is used to solve the stochastic shortest path problem [1] for (interval) Markov decision processes.

Let $\mathcal{T} = (S, S^{0}, \mathcal{A}, Steps, \mathcal{L})$ be a timed interval probabilistic system and $F \subseteq S$ be a set of target states. Moreover, let $\bar{F} \subseteq S$ be the set of states from which $F$ cannot be reached. We define $(p_n)_{n \in \mathbb{N}}$ as the sequence of probability vectors over $S$, such that for any $s \in S$:

• $p_n(s) = 1$ if $s \in F$ for all $n \in \mathbb{N}$,

• $p_n(s) = 0$ if $s \in \bar{F}$ for all $n \in \mathbb{N}$,

• $p_n(s)$ is computed iteratively if $s \in S \setminus (F \cup \bar{F})$ by:

$$p_0(s) = 0$$

$$p_{n+1}(s) = \max_{(a,\lambda) \in Steps(s)} \sum_{t \in Supp(\lambda)} \mu^{\max}_{\lambda}(t) \cdot p_n(t)$$

where we consider an ordering $t_1, t_2, \ldots, t_N$ of the states in $Supp(\lambda)$ such that the vector $p_n(t_1), p_n(t_2), \ldots, p_n(t_N)$ is in descending order, and $\mu^{\max}_{\lambda}$ is defined as follows with $m \in \{1, \ldots, N\}$ (see the footnote on empty sums):

$$\mu^{\max}_{\lambda}(t_m) = \min\left( \lambda^{u}(t_m),\; 1 - \sum_{i=1}^{m-1} \mu^{\max}_{\lambda}(t_i) - \sum_{i=m+1}^{N} \lambda^{\ell}(t_i) \right)$$

Then $p_n(s_0)$ converges to $p^{\max}_{s_0}(F)$ for $n \to \infty$. For a correctness proof of this algorithm we refer to [18]. Note also that except for the additional sorting of the support set, the complexity for computing the maximum and minimum probabilities for IPTA is the same as for PTA.

Note that PTCTL model checking of (interval) probabilistic timed automata is EXPTIME-complete. However, for certain subclasses of PTCTL the model checking problem can be shown to be PTIME-complete (cf. [6]).



5 Tool Support 

PRISM 4.0 [10] is the latest version of the probabilistic model checker developed at the University of Oxford. For various probabilistic models, including PTA, PRISM provides verification methods based on explicit and symbolic model checking, and discrete-event simulation.

We have extended PRISM 4.0 with support for IPTA (see the footnote below for the download location). Our implementation adds the new operator '~' to the PRISM language which can be used to specify probability intervals (l ~ u : ...) and not only exact probabilities (0.95 : ...). Moreover, we adapted the implementation for computing the minimum and maximum probabilities for reaching a set of target states based on the definitions in Section 4.3.

Listing 2 contains the PRISM code for the server IPTA in Figure 2 and an IPTA for a client which performs a fixed number of requests and then terminates. The constants L and U are used to declare the lower and upper interval bounds for a successful request, e.g. by setting L=0.95 and U=1 we obtain the IPTA in Figure 2. Note that we need to set the module type to ipta to be able to specify probability intervals. Fixed probabilities are also supported and interpreted as point intervals. Thus, any PTA model is also a valid IPTA model in our tool. Note also that the invariant section is used in PRISM 4.0 to associate clock invariants with locations, such as x<20 for the state s=1.



Footnote: Note that $\sum_{i=k}^{m} (\cdot) = 0$ whenever $k > m$ (empty sums in the definition of $\mu^{\max}_{\lambda}$).



Footnote: Our IPTA extension of PRISM is available at www.mdelab.org/?p=50
Listing 2: Client/Server system as a PRISM-IPTA

    ipta

    const double L;            // Lower probability for normal response
    const double U;            // Upper probability for normal response
    const int REQUESTS;        // Number of requests
    const int TIMEOUT = 30000; // Timeout value

    module Server
      s : [0..2] init 0;
      w : [0..REQUESTS] init 0; // Number of slow responses
      x : clock;

      invariant
        (s=0 => x<100) & (s=1 => x<20) & (s=2 => x<TIMEOUT)
      endinvariant

      [request]  (s=0 & w<REQUESTS) -> (L~U) : (s'=1)&(x'=0)
                                     + ((1-U)~(1-L)) : (s'=2)&(w'=w+1)&(x'=0);
      [response] (s=1 & x<20) | (s=2 & x>20) -> (s'=0)&(x'=0);
    endmodule

    module Client
      t : [0..REQUESTS] init 0;
      y : clock;

      invariant
        (y<=TIMEOUT)
      endinvariant

      [request] t<REQUESTS -> (t'=t+1)&(y'=0);
      []        t=REQUESTS -> (y'=0);
    endmodule

    label "lessThan50PercentSlow" = (t=REQUESTS & w<REQUESTS/2);
Note also that we have extended the original server of the example in Figure 2 here by recording the number of slow responses that occurred so far using the variable w. Moreover, the client now performs only a pre-defined number of requests, given by the constant REQUESTS. This allows us to control and count the number of subsequent requests and (slow) responses and to reason about probabilities for specific scenarios, such as the probability that less than 50% of all requests will result in a slow response. This particular property is encoded using the label lessThan50PercentSlow in line 32 of Listing 2. Note also that this definition of the client provides a convenient way to scale the size of the state space by increasing the number of requests, i.e. the constant REQUESTS. This is particularly useful for conducting benchmarks, e.g. for measuring the run-times of the model checker for different model sizes (cf. Section 6.3).

For the two modules defined in Listing 2, PRISM forms the system to be analyzed as the parallel composition of the server and the client (cf. Definition 3.4). In the following section, we give an evaluation of our analysis approach and tool support using this example.
6 Evaluation

In this section, we compare the IPTA model in Listing [2] with PTA encodings of the same example. In 
particular, we show that PTA encodings either yield incorrect results (sampling with exact probabilities) 
or result in a blow-up of the model which causes a decay in the run-times of the model checker (equivalent 
model). 

6.1 Difference to sampling 

For an initial test, we have set the constants in our example to L=0.7, U=0.8 and REQUESTS=2. Using 
the IPTA version of PRISM, we then calculated the minimum and maximum probabilities for the prop- 
erty that one out of two responses was slow: (t=2 & w=1). The computed minimum and maximum 
probabilities are $p_{\min} = 0.3$ and $p_{\max} = 0.45$ (cf. Figure 3). 

To illustrate the difference to approaches with fixed probabilities, we also encoded this example as a PTA 
model, where we tested the following probabilities for normal response times: y=0.7, 0.75 and 0.8. For 
this model and the above property, we obtain the following probabilities: 

$$p_{0.7} = 0.42 \qquad p_{0.75} = 0.375 \qquad p_{0.8} = 0.32$$

It is obvious that these three samples are not sufficient to obtain the actual minimum and maximum 
probabilities as predicted using the IPTA model. In fact, no fixed value for y in the interval [0.7,0.8] 
produces the correct results, because the probability for the chosen property is minimal / maximal when 
y is chosen differently for each request. To illustrate this situation we computed the solutions analytically, 
depicted in the graph in Figure 3. 

[Figure 3 is a 3D plot, not reproduced here; its probability axis ranges from 0.25 to 0.5.] 

Figure 3: Analytic solutions for the property 'one out of two responses is slow' 

The plane in the middle represents the solution for the sampling-based PTA approach, which reaches 
a minimum probability of 0.32 for y=0.7 and a maximum probability of 0.42 for y=0.8. The upper and 
lower plane depict the IPTA version, which reaches minimum and maximum probabilities of 0.3 and 
0.45, respectively. Therefore, the sampling approach using PTA is not sufficient for determining the 
correct minimum and maximum probabilities in the original IPTA model. 
6.2 Encoding IPTA as PTA 

Although the semantics of an interval distribution, i.e., the set of all probability distributions that respect 
the bounds of its intervals, is in general infinite, it is still possible to encode any finite IPTA into an 
equivalent, finite PTA. This encoding, which we also refer to as PTA*, works as follows¹: 

• The actions, clocks and locations of the PTA are the same as in the IPTA. 

• For every transition s → λ in the IPTA and any ordering of the set Supp(λ), add the transition s → μ^max 
  to the PTA, where μ^max is the distribution determined by that ordering (see Section 4.3). 



As an example, Figure 4 depicts the PTA* encoding of the server IPTA in Figure 2. From the construc- 
tion, it is clear that this encoding preserves probabilistic reachability, i.e., the minimum and maximum 
probabilities for reaching a set of target states in this PTA are the same as for the original IPTA. However, 
the number of generated transitions in the PTA is exponential in the size of the support of the transition. 
Thus, there is a significant blow-up in the size of the model. Even in our simple example in Figure 2, 
where the support sets have a size of at most 2, the larger number of transitions in the PTA* encoding 
results in longer run-times of the model checker. To illustrate this, we increased the number of requests 
performed by the client in our running example and compared the run-times of PRISM. 

[Figure 4 is a state diagram, not reproduced here; the two response transitions are guarded on the clock x (x<20 and x>20).] 

Figure 4: PTA* encoding of the server IPTA 
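The two observations of Sections 6.1 and 6.2, that no single distribution sampled from [L,U] reaches the IPTA extremes and that the PTA* encoding contributes one distribution per ordering of the support, can be reproduced for the client/server example with a few lines of code. The following Python script is an added example, not code from the paper or from its PRISM extension. Since Section 4.3 is not reproduced on this page, it assumes that μ^max for an ordering is built by the usual extreme-point construction for interval distributions (lower bounds first, then raise outcomes to their upper bound in the given order), and it generalises the paper's two-outcome case to supports of any size. Constants `L`, `U`, the dictionary `SERVER_INTERVALS` and the three-outcome `THREE_WAY` are constructed for the example:

```python
from fractions import Fraction as F
from functools import lru_cache
from itertools import permutations

# Interval distribution of the server's [request] transition in Listing 2 with
# the constants of Section 6.1 (L=0.7, U=0.8): a fast response (s'=1) has a
# probability in [L, U], a slow one (s'=2) in [1-U, 1-L].  Exact arithmetic
# keeps the comparison with the paper's figures free of rounding noise.
L, U = F(7, 10), F(8, 10)
SERVER_INTERVALS = {"fast": (L, U), "slow": (1 - U, 1 - L)}

# Constructed three-outcome interval distribution, only used to show how the
# number of extreme distributions grows with the size of the support.
THREE_WAY = {o: (F(1, 5), F(1, 2)) for o in ("a", "b", "c")}


def extreme_distributions(intervals):
    """Distinct distributions obtained from every ordering of the support.

    Assumption (Section 4.3 of the paper is not reproduced on this page): mu^max
    for an ordering is built in the usual extreme-point way for interval
    distributions, i.e. start every outcome at its lower bound and, walking the
    support in the given order, raise each outcome to its upper bound while
    unassigned probability mass remains.  In the worst case every one of the
    |Supp|! orderings yields a different distribution, which is the blow-up
    of the PTA* encoding."""
    outcomes = list(intervals)
    lower_mass = sum(lo for lo, _ in intervals.values())
    upper_mass = sum(hi for _, hi in intervals.values())
    if not lower_mass <= 1 <= upper_mass:
        raise ValueError("no distribution respects these interval bounds")
    distinct = {}
    for order in permutations(outcomes):
        mu = {o: intervals[o][0] for o in outcomes}
        slack = 1 - lower_mass
        for o in order:
            lo, hi = intervals[o]
            step = min(hi - lo, slack)
            mu[o] += step
            slack -= step
        distinct[tuple(mu[o] for o in outcomes)] = mu
    return list(distinct.values())


def extremal_probability(dists, requests, target, maximise):
    """Maximum (or minimum) probability that, after `requests` requests, the
    number w of slow responses satisfies target(w), when at every request any
    distribution in `dists` may be chosen depending on the history so far.

    With the extreme distributions of an interval this is the IPTA semantics of
    the client/server model (the objective is linear in the chosen distribution,
    so only extreme points matter); with a single fixed distribution it is the
    sampled PTA of Section 6.1."""
    pick = max if maximise else min

    @lru_cache(maxsize=None)
    def value(i, w):
        if i == requests:
            return F(1) if target(w) else F(0)
        after_fast, after_slow = value(i + 1, w), value(i + 1, w + 1)
        return pick(mu["fast"] * after_fast + mu["slow"] * after_slow for mu in dists)

    return value(0, 0)


def one_slow_out_of_two():
    """Figures of Section 6.1 for REQUESTS=2 and the property (t=2 & w=1)."""
    ipta = extreme_distributions(SERVER_INTERVALS)
    one_slow = lambda w: w == 1
    result = {
        "ipta_min": extremal_probability(ipta, 2, one_slow, maximise=False),
        "ipta_max": extremal_probability(ipta, 2, one_slow, maximise=True),
    }
    for y in (F(7, 10), F(3, 4), F(4, 5)):
        sampled = [{"fast": y, "slow": 1 - y}]
        result[f"pta_y={float(y)}"] = extremal_probability(sampled, 2, one_slow, maximise=True)
    return result


def less_than_half_slow_min(requests):
    """Minimum probability of the label lessThan50PercentSlow (the property of
    Table 1) for a given number of requests, under the IPTA semantics."""
    ipta = extreme_distributions(SERVER_INTERVALS)
    return extremal_probability(ipta, requests, lambda w: 2 * w < requests, maximise=False)


if __name__ == "__main__":
    for name, p in one_slow_out_of_two().items():
        print(f"{name:>12}: {float(p):.3f}")
    print("min P(less than 50% slow), 10 requests:", float(less_than_half_slow_min(10)))
    print("extreme distributions for a 3-outcome support:", len(extreme_distributions(THREE_WAY)))
```

Running the script gives 0.3 and 0.45 for the IPTA bounds and 0.42, 0.375 and 0.32 for the three sampled PTAs, matching Section 6.1; the minimum is attained by choosing [0.8,0.2] for the first request and then, depending on whether it was fast or slow, [0.8,0.2] or [0.7,0.3] for the second, which is exactly the history-dependent choice no single sampled y can express. The three-outcome support already yields six distinct extreme distributions, i.e. one per ordering.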



6.3 Comparison of the run-times 

Table 1 summarizes the run-times of our IPTA version of PRISM for three different encodings of the 
running example: 

1. PTA: sampling approach where a single probability distribution in the interval distribution is tested; 

2. IPTA: the original model as in Listing 2; 

3. PTA*: the encoding of the original IPTA using μ^max. 

The checking of the PTA version was the fastest. However, we have shown above already that such 
a naive analysis using sampling does not produce the correct results. While the PTA* version yields the 
correct results, the numbers show that the direct checking of the IPTA is more efficient. This is due to the 
fact that the number of transitions to be checked in the PTA* encoding is higher than in the original IPTA. The 
actual numbers of the transitions in the example are listed in Table 2. Note that in our simple client/server 
example, the support sets of the transitions are very small (of size 1 or 2). We expect that with a greater 
branching of transitions, the performance loss using the PTA* encoding gets significantly worse. 

¹ The PTA* encoding is similar to the MDP reduction of IMDPs in [16]. 
#Requests   #States      PTA     IPTA     PTA* 
       10       235    0.752    0.804    0.816 
       20       865    2.274    2.625    2.888 
       30     1,895    7.274    7.818    9.225 
       40     3,325   19.170   21.662   25.990 
       50     5,155   43.573   47.908   57.847 

Table 1: Runtime in seconds for computing minimum probabilities for 'less than 50% slow responses' 



#Requests      PTA     IPTA     PTA* 
       10      339      339      521 
       20    1,269    1,269    2,031 
       30    2,799    2,799    4,541 
       40    4,929    4,929    8,051 
       50    7,659    7,659   12,561 

Table 2: Number of transitions for different encodings of the client/server example 

7 Related work 

Probabilistic reachability and expected reachability for PTA based on an integral model of time (digital 
clocks) is studied in [11]. A zone-based algorithm for symbolic PTCTL [13] model checking of PTA is 
introduced in [13]. A notion of probabilistic time-abstracting bisimulation for PTA is introduced in [?]. 
For an overview of tools that support verification of (priced) PTA we refer to the related tools section 
in [10]. Interval-based probabilistic models and their use for specification and refinement / abstraction 
have been studied as early as 1991 in [5]. PCTL model checking of interval Markov chains is introduced 
in [16]. Symbolic model checking for IPTA is presented in [18] based on the approaches in [11, 16]. 
However, no tool support or evaluation is given. Moreover, we show here that IPTA can also be encoded 
into PTA and provide some empirical data for comparing the differences in terms of correctness and 
run-times of our model checker. 

Quality prediction of service compositions based on probabilistic model checking with PRISM is 
suggested in [4]. A comparison of different QoS models for service-oriented systems and an extension 
of the UML for quantitative models is given in [1]. A formal syntax for service level agreements of web 
services can be given using WSLA [8, 3]. A compositional QoS model for channel-based coordination 
of services is presented in [14]. 

8 Conclusions 

We demonstrated in this paper how the recently introduced model of Interval Probabilistic Timed Au- 
tomata [18] (IPTA) can be employed to model and verify quality of service guarantees, specifically, prob- 
abilistic real-time properties for service-oriented systems with dynamic service binding with contracts 
specified in service level agreements. We have shown that IPTA can capture the guarantees specified in 
the SLAs more naturally than PTA. To the best of our knowledge, our extension of the PRISM tool is 
the first implementation of an IPTA model checker. Moreover, we were able to show that IPTA can be 
analyzed nearly as fast as a sampled PTA and faster than a possible encoding of an IPTA in a finite PTA. 
As future work, we plan to study refinement notions for IPTA which we hope will enable us to reason 
compositionally about QoS guarantees of service-oriented systems. 